postfix and selinux [selinux updates broke postfix?]
If you use "audit2allow -M", it should create the .pp file as well as the .te file, so there will be no need to perform the make. Before installing the .pp module, check the .te to see that it contains appropriate (approximately) changes to SELinux. If you don't like something in the .te file, then edit the file to remove the bad stuff and use make to recreate the .pp from the modified .te. When you're happy, then install the module with semodule -i.
1.learn to use audit
2. get audit to log the postfix avc messages
3. use audit2allow to create a .te file
4. makefile to make a pp
5. semodule it to install it
Okiedoke, audit daemon installed and started ("service auditd start") and my audit log filled up straight away; also the messages log states that the audit dispatcher is initialised... w00t w00t, I got audit logs to look at, which are entirely different to the "messages" log, I wonder if they are better..
Code:
Mar 12 19:06:44 HOSTNAME auditd[15512]: Started dispatcher: /sbin/audispd pid: 15514
Mar 12 19:06:44 HOSTNAME audispd: af_unix plugin initialized
Mar 12 19:06:44 HOSTNAME audispd: audispd initialized with q_depth=80 and 1 active plugins
Mar 12 19:06:44 HOSTNAME auditd[15512]: Init complete, auditd 1.7.5 listening for events (startup state enable)
Ok, so the audit log shows AVC denials for sendmail, postdrop and cleanup... before I build a .te and .pp for insertion in the SELinux policy I'm just gonna search the net a bit for these;
Cleared the audit.log, and sent an email with SELinux on to generate the AVC messages in audit.log so I can use the command "audit2allow -M mypostfix2 < /var/log/audit/audit.log" to create a .te file to edit;
Here is the content of this latest .te file generated by the above command and my cleaned audit.log. Can anyone advise me on what I should adjust/remove to allow postfix to send mail and not compromise my system? Thanks;
Code:
module mypostfix2 1.0;

require {
	type unconfined_t;
	type var_run_t;
	type sshd_t;
	type postfix_postdrop_t;
	type httpd_t;
	type system_mail_t;
	type postfix_cleanup_t;
	class nscd { shmempwd getpwd };
	class unix_stream_socket connectto;
	class file { read write };
}

#============= httpd_t ==============
# Not a postfix domain: audit2allow picked this up from an unrelated httpd denial in audit.log
allow httpd_t unconfined_t:unix_stream_socket connectto;

#============= postfix_cleanup_t ==============
allow postfix_cleanup_t unconfined_t:unix_stream_socket connectto;
allow postfix_cleanup_t var_run_t:file { read write };

#============= postfix_postdrop_t ==============
allow postfix_postdrop_t unconfined_t:unix_stream_socket connectto;

#============= sshd_t ==============
# Not a postfix domain: unrelated sshd denial (nscd password lookups)
allow sshd_t unconfined_t:nscd { shmempwd getpwd };

#============= system_mail_t ==============
allow system_mail_t unconfined_t:unix_stream_socket connectto;
Last edited by rjcroasdale; 03-14-2010 at 09:44 PM.
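Added example, not code from the thread or from rjcroasdale: a POSIX shell check that reviews a .te like the one pasted above before it becomes a .pp and is installed, flagging and stripping allow rules whose source domain is not a postfix domain. It assumes the sample module is the thread's mypostfix2.te and that a postfix-only module should carry rules only for postfix_*_t and system_mail_t (an assumed scope regex).

```shell
# Added example (not from the thread): "audit2allow -M" turns EVERY denial
# in audit.log into an allow rule, so a "postfix" module also picks up
# sshd_t and httpd_t rules. Flag and strip rules outside the postfix scope.
# Constructed sample: the mypostfix2.te the thread generated.
SAMPLE_TE=$(cat <<'EOF'
module mypostfix2 1.0;
require {
	type unconfined_t;
	type var_run_t;
	type sshd_t;
	type postfix_postdrop_t;
	type httpd_t;
	type system_mail_t;
	type postfix_cleanup_t;
	class nscd { shmempwd getpwd };
	class unix_stream_socket connectto;
	class file { read write };
}
#============= httpd_t ==============
allow httpd_t unconfined_t:unix_stream_socket connectto;
#============= postfix_cleanup_t ==============
allow postfix_cleanup_t unconfined_t:unix_stream_socket connectto;
allow postfix_cleanup_t var_run_t:file { read write };
#============= postfix_postdrop_t ==============
allow postfix_postdrop_t unconfined_t:unix_stream_socket connectto;
#============= sshd_t ==============
allow sshd_t unconfined_t:nscd { shmempwd getpwd };
#============= system_mail_t ==============
allow system_mail_t unconfined_t:unix_stream_socket connectto;
EOF
)
# Source domains a postfix-only module may grant rules to (assumed scope).
POSTFIX_SCOPE='^(postfix_[a-z_]+_t|system_mail_t)$'

# Print allow rules whose source domain is outside the scope regex;
# exit 1 if any were found, 0 if the module is clean.
te_out_of_scope() {
	printf '%s\n' "$1" | awk -v re="$2" '
		/^[[:space:]]*allow[[:space:]]/ && $2 !~ re { print; n++ }
		END { exit (n ? 1 : 0) }'
}
# Emit the module with out-of-scope allow rules and their "#====" headers
# removed; surplus require entries are harmless, checkmodule accepts them.
te_prune() {
	printf '%s\n' "$1" | awk -v re="$2" '
		$1 ~ /^#=+$/ && $2 !~ re { next }
		/^[[:space:]]*allow[[:space:]]/ && $2 !~ re { next }
		{ print }'
}
```

Feed the pruned output through checkmodule/semodule_package (or edit the .te and rerun make, as described above) and only then install it with semodule -i.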
Ok, I just added the whole thing (the above .te file made into a .pp file) to the active SELinux modules, and postfix still won't send mail with SELinux turned on! OMG!
;[
Last edited by rjcroasdale; 03-14-2010 at 10:04 PM.
I would also remove the module you created. You shouldn't need any of the sshd or httpd stuff in it to get this postfix problem fixed.
Can you post some of the audit.log file that is created when you try to send an email?
Thanks
Yey! My mentor is here, seriously you should get a gold star cos I am such a
Yeah, it was the first thing I did... removed both modules I added and checked the /etc/selinux/targeted/modules/active/modules folder to make sure they had gone after I did
Code:
semodule -r mypostfix2
because i noticed the ssh being in there.
OH POOSTICKS!
Code:
touch /.autorelabel
init 6
and SSH disconnected me, the websites are down and it refuses to reconnect via SSH!
SV_PANIC-OVER = 1
OK, so 2 mins later and the server is responding again, what do those commands do?
scared me to death!
Last edited by rjcroasdale; 03-14-2010 at 11:35 PM.
The first command created an empty file called .autorelabel in the root directory. Nothing sinister there.
The second command (init 6) told the system to change to runlevel 6, which is the reboot level. So it simply rebooted the machine. When the machine rebooted though, it found the .autorelabel file which tells the server to reset the SELinux contexts for all of your files. This basically tells SELinux to start from scratch and relabel each file in terms of what the file can and can't do, based on the SELinux idea of the world. It's like chcon or restorecon, but on a global scale. Use "ls -lZ /pick/any/file/you/like" and you will see the SELinux context values that would have been re-evaluated (and changed if it was wrong) by the relabel at the reboot. Once the relabel has been done, the .autorelabel file is deleted to prevent another relabel when the machine boots next time.
Anyway, it looks like your problem is solved, which is fantastic. Let me know if you want more details about any of this at all.
Thanks for the info, I panicked big-time when I got the "connection lost" and "connection refused" from PuTTY and my websites were not responding, but I didn't know that you could reboot the machine with a command like that; now I know.
I do really need to read up more on SELinux, I really don't know what
Code:
unconfined_u:object_r:admin_home_t:s0
means....
I'm re-scanning my server for PCI security now, and will have to read up on SELinux, but yes, it works which is great, just not sure if I've relabeled the files at the same "selinux" security level or not, but that is now a separate issue for me to learn.
Thanks for your help, you are the only one who did! Like I said in my post above you are a star, hope to stay in touch, speak soon
Last edited by rjcroasdale; 03-15-2010 at 01:08 AM.
To be frank, I don't know what that means either. If I need to learn, I Google it then. The best SELinux command I can give you is something like this:-
Code:
chcon --reference=thisfile someotherfile
and
chcon -R --reference=thisfile-or-dir someotherdir
This changes the context of files, or directories (recursively with the -R), to that of an existing file. So if you know the context of an existing file or dir is OK, then you can change the context of other files to match it. I use this a lot - especially with web content. For example:-
Other than that, pay attention to your audit.log file (now that you've got one!).
Best wishes, and hopefully we'll cross paths again. You have my email, so if you get stuck and no-one else is responding (I tend to take vacations from this site), please feel free to contact me directly
Well this is great, almost 10 years ago. I now know more about SELinux and like it very much. Will maybe do an audit profile for some open source software that recommends turning off SELinux. It has to rw allow httpd, httpd_sys_content_rw_t, and a port or two 'tcontext=system_ubject_r:zope_port_t:s0'. Seems like a legit thing to do for their community. Anyway, LQ, Blacky = Ty all. (^_^)